CVE-2025-13342
CRITICAL EXPLOITED
Frontend Admin by DynamiApps <3.28.20 - Info Disclosure
Title source: llm
Description
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthorized modification of arbitrary WordPress options in all versions up to, and including, 3.28.20. This is due to insufficient capability checks and input validation in the ActionOptions::run() save handler. This makes it possible for unauthenticated attackers to modify critical WordPress options such as users_can_register, default_role, and admin_email by submitting crafted form data to public frontend forms.
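A defender-side check for the three options named above, as an added example that is not part of this record or of the plugin's code: it compares a WP-CLI `wp option list --format=json` dump against a known-good baseline. The function names, the privileged-role set, the baseline values and the sample dump are assumptions constructed for illustration.

```python
import json

# Options the advisory names as modifiable through the vulnerable save handler.
WATCHED = ("users_can_register", "default_role", "admin_email")
# Core WordPress roles above "subscriber" (the core default for default_role).
# Treating all of them as privileged is this example's assumption.
PRIVILEGED_ROLES = {"administrator", "editor", "author", "contributor"}


def load_options(wp_cli_json):
    """Parse `wp option list --format=json` output into {name: value}."""
    return {row["option_name"]: str(row["option_value"])
            for row in json.loads(wp_cli_json)}


def audit_options(current, baseline):
    """Return (severity, message) findings for the watched options."""
    findings = []
    for name in WATCHED:
        if name not in current:
            findings.append(("warn", f"{name}: missing from dump"))
        elif current[name] != baseline.get(name):
            findings.append(
                ("warn", f"{name}: {baseline.get(name)!r} -> {current[name]!r}"))
    open_reg = current.get("users_can_register") == "1"
    role = current.get("default_role", "")
    # Open registration plus a privileged default role lets any visitor
    # self-register into that role, so report it even if the baseline agrees.
    if open_reg and role in PRIVILEGED_ROLES:
        findings.append(
            ("critical", f"open registration with default_role={role!r}"))
    return findings


# Constructed sample data, not taken from a real site.
BASELINE = {"users_can_register": "0", "default_role": "subscriber",
            "admin_email": "ops@example.org"}
SAMPLE_DUMP = json.dumps([
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "admin_email", "option_value": "ops@example.org"},
    {"option_name": "blogname", "option_value": "Example"},
])

if __name__ == "__main__":
    for severity, message in audit_options(load_options(SAMPLE_DUMP), BASELINE):
        print(f"[{severity}] {message}")
```

The baseline should come from configuration management rather than from the live database, since the database is what the flaw lets an attacker change.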
Exploits (2)
Scores
CVSS v3: 9.8
EPSS: 0.0005
EPSS Percentile: 15.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
VulnCheck KEV: 2025-12-03
CWE: CWE-862
Status: published
Products (1)
shabti/Frontend Admin by DynamiApps < 3.28.20
Published: Dec 03, 2025
Tracked Since: Feb 18, 2026